s390/mm: Fix potential use-after-free in __crst_table_upgrade()
The pointer to the mm_struct which is passed to __crst_table_upgrade() may
only be dereferenced if it is identical to current->active_mm. Otherwise
the current task has no reference to the mm_struct and it may already be
freed. In such a case this would result in a use-after-free bug.
Make sure this use-after-free scenario does not happen by moving the code,
which dereferences the mm_struct pointer, after the check which verifies
that the pointer is identical to current->active_mm, like it was before
lazy ASCE handling was reimplemented.
Fixes: 8b72f5a97b ("s390/mm: Reimplement lazy ASCE handling")
Reviewed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
parent
f049a4f7ff
commit
3919600d32
|
|
@ -40,9 +40,9 @@ static void __crst_table_upgrade(void *arg)
|
|||
struct mm_struct *mm = arg;
|
||||
struct ctlreg asce;
|
||||
|
||||
asce.val = mm->context.asce;
|
||||
/* change all active ASCEs to avoid the creation of new TLBs */
|
||||
if (current->active_mm == mm) {
|
||||
asce.val = mm->context.asce;
|
||||
get_lowcore()->user_asce = asce;
|
||||
local_ctl_load(7, &asce);
|
||||
if (!test_thread_flag(TIF_ASCE_PRIMARY))
|
||||
|
|
|
|||
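Review bot: The invariant this fix restores is not stated anywhere in the new code: `mm` may only be dereferenced after `current->active_mm == mm` has been checked, because otherwise the current task holds no reference and the mm_struct may already be freed, yet the existing comment above the `if` only talks about TLBs. Since the commit message says this ordering was already lost once in a rework, I would add a comment above the check, e.g. `/* mm may only be dereferenced if it is current->active_mm; otherwise it may already be freed */`. Declaring `struct ctlreg asce;` inside the `if` block would additionally turn any use before the check into a compile error, assuming nothing after the hunk reads `asce`; the function body continues outside the hunk.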